USN-7061-1: Go vulnerabilities
10 October 2024
Several security issues were fixed in Go.
Releases
Packages
- golang-1.17 - Go programming language compiler - metapackage
Details
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue to read or write files with
elevated privileges. (CVE-2023-29403)
Juho Nurminen discovered that Go incorrectly handled certain crafted
arguments. An attacker could possibly use this issue to execute arbitrary
code at build time. (CVE-2023-29405)
It was discovered that Go incorrectly validated the contents of host
headers. A remote attacker could possibly use this issue to inject
additional headers or entire requests. (CVE-2023-29406)
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a
cross-site scripting attack. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
(CVE-2023-39325)
It was discovered that the Go html/template module did not validate errors
returned from MarshalJSON methods. An attacker could possibly use this
issue to inject arbitrary code into the Go template. (CVE-2024-24785)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
-
golang-1.17
-
1.17.13-3ubuntu1.2
-
golang-1.17-go
-
1.17.13-3ubuntu1.2
-
golang-1.17-src
-
1.17.13-3ubuntu1.2
In general, a standard system update will make all the necessary changes.
Related notices
- USN-7109-1: golang-1.18-doc, golang-1.18, golang-1.18-go, golang-1.18-src
- USN-6886-1: golang-1.21-src, golang-1.22-doc, golang-1.21, golang-1.22-src, golang-1.21-go, golang-1.21-doc, golang-1.22, golang-1.22-go
- USN-6574-1: golang-1.21-src, golang-1.20-go, golang-1.21, golang-1.20, golang-1.21-doc, golang-1.21-go, golang-1.20-src, golang-1.20-doc
- USN-6038-1: golang-1.18-doc, golang-1.18, golang-1.18-go, golang-1.18-src
- USN-6140-1: golang-1.19, golang-1.20-go, golang-1.20, golang-1.19-src, golang-1.20-src, golang-1.19-go, golang-1.19-doc, golang-1.20-doc
- USN-6038-2: golang-1.16, golang-1.16-doc, golang-1.16-go, golang-1.13-go, golang-1.13, golang-1.13-src, golang-1.16-src, golang-1.13-doc